US20100088745A1 - Method for checking the integrity of large data items rapidly - Google Patents

Method for checking the integrity of large data items rapidly Download PDF

Info

Publication number
US20100088745A1
US20100088745A1 US12/246,144 US24614408A US2010088745A1 US 20100088745 A1 US20100088745 A1 US 20100088745A1 US 24614408 A US24614408 A US 24614408A US 2010088745 A1 US2010088745 A1 US 2010088745A1
Authority
US
United States
Prior art keywords
data
chunks
target data
chunk
digest values
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/246,144
Inventor
Zhexuan Song
Jesus Molina
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujitsu Ltd
Original Assignee
Fujitsu Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujitsu Ltd filed Critical Fujitsu Ltd
Priority to US12/246,144 priority Critical patent/US20100088745A1/en
Assigned to FUJITSU LIMITED reassignment FUJITSU LIMITED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MOLINA, JESUS, SONG, ZHEXUAN
Publication of US20100088745A1 publication Critical patent/US20100088745A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Definitions

  • the embodiments discussed herein relate to data integrity verification.
  • a widely used mechanism is to load the whole file from the disk and calculate a digest value of the whole file based on a hash-function (e.g. MD5 or SHA1) of the file or data block. The calculated digest value is then compared with the original digest value. If both original and subsequent digest values of the whole file do not match, it is determined that the whole file must have been modified. Otherwise, since the possibility of a collision of digest value is very low and the digest calculation function is an one-way function, if both digest values match, it is safe to believe that the whole file is not modified.
  • a hash-function e.g. MD5 or SHA1
  • the main bottleneck is typically the disk I/O time (99.9% of time for an operation is in reading data from disks).
  • the embodiments substantially increase the speed of or substantially reduce the time for verifying integrity of a large file or data block.
  • the embodiments provide a method, computer readable medium and apparatus thereof, of reading, by a computer, target data and dividing target data into chunks, maintaining initial digest values for each data chunk of the target data, obtaining digest values for a subset of the chunks, based upon the target data, computer comparing the obtained subset of digest values of the target data with corresponding subset of maintained initial digest values, and verifying integrity of the target data according to the comparing.
  • FIG. 1 is a diagram of a computer system embodying the embodiments of the invention.
  • FIG. 2 is a flow chart of verifying integrity of stored data, according to an embodiment of the invention.
  • FIG. 3 is a diagram of another computer system embodying the embodiments of the invention.
  • FIG. 4 is a functional block diagram of a computer for the embodiments of the invention.
  • FIG. 1 is a diagram of a computer system embodying the embodiments, according to an aspect of the invention.
  • a computer system 100 includes a data integrity checker 102 managing, for example, calculating, initial digest values of chunks of a whole file or data block as target data 106 and checking or verifying integrity of the target data 106 based upon the initial digest values.
  • a digest value database 104 stores the initial digest values corresponding to the file or data block as the target data 106 .
  • Target data 106 can be any computer readable information in any format (compressed, not compressed, transformed (encrypted), etc.), such as (without limitation) virtual machine image, multimedia data, such as audio and/or video, images recorded on computer readable recording media, such as DVD, CD, etc.
  • the data integrity checker 102 may reside in a module within the same device and/or in client-server architecture, reside in a remote device as a server in communication over a network with a client device.
  • the data integrity checker 102 is software application in a server 110 checking integrity of target data 107 stored in computer readable recording medium of a client device 120 .
  • a target data digest value manager 108 cooperates or interfaces with the data integrity checker 102 and manages, for example, calculates, digest values based upon the target data 107 stored in the client 120 .
  • the server 110 and client device 120 are in wire and/or wireless network 130 communication.
  • a digest value or hash value is any transformation that takes an input and returns or outputs a string, for example, fixed size string.
  • the transformation can be based upon any hash function (e.g., MD5, SHA1, etc.).
  • FIG. 2 is a flow chart of verifying integrity of stored data, according to an embodiment.
  • Operation 202 provides dividing target data into chunks. Chunk refers to any length of read data.
  • a program can jump to any point of a file and read any length of data out of the file from that point
  • the embodiments use an operating system random read, jump to several places according to selection criteria, and read the selected chunks. Then calculate the hash value of the selected chunks.
  • the embodiments are not limited to operating system random read function or service, but the embodiments treat a whole computer file as one data block and read selected chunks of the one data block.
  • the initial file or data block as target data 106 is divided into n fixed-size chunks (e.g. 1 MByte each), labeled 0 , . . . , n- 1 .
  • a chunk identifier can be assigned to each data chunk, so given a chunk ID i, the start position of the chunk within the target data is i*chunk_size, and the end position of the chunk is (i+1)*chunk_size ⁇ 1.
  • a benefit of the embodiments is that only chunk_size*chunk_ID_size bytes of data is read instead of the full file or data block, thus reducing time of data verification.
  • the embodiments are not limited to a fixed chunk size, and variable chunk sizes can be provided.
  • Operation 204 provides maintaining an initial digest value for each chunk of the target data. For example, at operation 204 , at the checker side 102 , a digest value of each chunk is pre-calculated and stored for verification as stored initial digest values 104 . According to an aspect of an embodiment, the file or data block is delivered or transmitted to client(s) 120 and stored as target data 107 on the client side disk.
  • Operation 206 provides obtaining digest values for a subset of the chunks, based upon the target data 106 ( 107 ).
  • the obtaining of the subset of digest values includes calculating digest values for selected chunks of the target data.
  • the obtaining of the subset of digest values comprises determining a chunk list based upon selecting the chunks and/or a number of the selected chunks of the target data and obtaining the digest values of the chunk list as the subset of digest values.
  • the chunk list is a predetermined list and/or a generated list of chunks of the target data.
  • the selection of chunks and/or the number of selected chunks is controlled randomly and/or based upon one or more parameters dynamically and/or in real-time.
  • the parameter is a data area or chunk modifiability characteristic of the target data, chunk size, random (e.g., random chunk selection and/or random number of chunks), verification time (e.g., variable periodic verification of target data, chunk selection and/or number of chunks), and/or user defined.
  • time parameter any of the other parameters can be varied as a function of time (e.g., time of day, day, year, etc.).
  • the checker 102 at the server 110 when it is time to check the integrity of the target file or data block 107 at a client 120 , the checker 102 at the server 110 first provides a list of chunk IDs to the target data digest value obtainer 108 at the client 120 . Typically, this list is a subset of the entire chunk ID list. Then the target data digest value obtainer 108 at the client 120 , obtains, for example, calculates, the digest value of selected chunks using the chunk IDs from the list provided from the checker 102 at the server 110 .
  • the obtained chunk digest values corresponding to the list of chunk IDs is then put together into a new data block as concatenated target digest value, and a digest value of the concatenated digest value is calculated.
  • the final result is then sent to the checker 102 .
  • Operation 208 provides comparing the obtained subset of digest values of the target data 106 ( 107 ) with corresponding subset of maintained initial digest values.
  • Operation 210 determines whether the corresponding subset of initial digest values match the obtained subset of digest values. For example, at operation 208 , the checker 102 does a calculation based upon initial digest values similar to calculation of the concatenated digest value based upon the target data 106 or 107 .
  • the checker 102 picks the pre-calculated or initial chunk digest values of the given chunk ID list, puts them together in one data block as an concatenated initial digest value and calculates the digest value of the concatenated initial digest value.
  • the checker 102 compares the concatenated initial digest value with the concatenated target digest value, for example, from the client 120 . If, at operation 210 , both results do not match, the file or data block, for example, at the client side 120 must have been modified, so at operation 212 , the target data 107 integrity verification fails. If at operation 210 , the results match, the file or data block at the client side 120 is very likely unchanged, so at operation 214 , the target data 107 verification is acceptable or successful. While the possibility of a false-accept (i.e. the file or data block is modified, but the check result shows unmodified) is higher than the possibility that results from calculating the digest value for the complete file or data block, however, the embodiments decrease the possibility of false-accepts as discussed herein.
  • the obtaining of the subset of digest values by determining a chunk list based upon selecting the chunks and/or a number of the selected chunks of the target data and obtaining the digest values of the chunk list as the subset of digest values.
  • the selection of the chunks and/or the number of chunks is controllable randomly and/or based upon parameters, providing a benefit of reducing false accepts or increasing accuracy of the data integrity verification.
  • the chunk list is dynamically and/or real-time controllable.
  • an alternative method of selecting chunks for digest value calculation is to pre-define a pseudo-random number generator, for example, for the client 120 .
  • the client 120 uses a seed, for example, a current timestamp as the seed, for the generator and generates a list of chunk IDs.
  • the size of the list can be pre-defined or dynamically and/or real-time determined.
  • the client 120 sends a result and the timestamp to the checker 102 and the checker 102 will use the same seed (e.g., timestamp) and a pseudo-random number generator to generate the same chunk list and do the verification.
  • This alternative method does not need the initial chunk ID list from the checker 102 , providing a benefit of a single communication loop between the data integrity checker 102 and the target data digest value obtainer 108 .
  • FIG. 3 is a diagram of another computer system embodying the embodiments of the invention.
  • the computer system 300 includes a server 110 and a client 120 .
  • a virtual machine image (VMI) 302 ( 304 ) is used as an example target data 106 ( 107 ) respectively.
  • the client 120 includes a virtual machine manager (VMM) 306 executing or launching a VMI 304 as a virtual machine 306 .
  • VMI virtual machine image
  • the data integrity checker 102 divides the VMI 302 into chunks and maintains initial digest values of the chunks. Then, the server 110 can provide or transmit the VMI 302 to the client 120 .
  • the data integrity checker 102 in cooperation with the target data digest value obtainer 108 checks or verifies integrity of the VMI 304 .
  • VMI virtual machine image
  • certain parts of the VMI 304 are more likely to be modified than the rest or other parts during execution.
  • the checker 102 can pick more chunks at those frequently modified parts of the VMI 304 to detect any changes than from the rest of the VMI 304 . For example, chunk selection according to likelihood of unauthorized modification can be done without inspecting the contents of the file by using metrics based on entropy.
  • the VMI 302 or 304 are read-only. There are several ways to achieve this read-only feature, 1) certain VMMs support this read-only function by restoring the VMI images back to initial state after turning off the VMM 306 , 2) controlled via the file system by, for example, before launching the VMI, creating a snapshot of the VMI 304 , and after turning off the VMM 306 , restore to the snapshot.
  • one or more data area modifiability characteristics controlling selection and/or number of chunks includes secured or protected data areas (e.g., operating system area), virus targeted data areas, user prohibited data areas, fixed data areas, data area activity metric, or any combinations thereof of the target data.
  • the data area modifiability characteristics are not limited to VMIs, and can be applied for any target data 106 ( 107 ) as the case may be. For example, verification of virus targeted data areas can be controlled in relation to timing of virus attacks.
  • the size of and/or the number of chunks can be dynamically and/or real-time controllable based upon testing of computing environment, application criteria (e.g., security level) and/or user defined, for example, determined based upon time that a user is willing to wait for the verification. For example, if the expected time limit is 10 seconds and reading each chunk takes 100 ms, then the size of the chunk ID list should not exceed 100 .
  • the checker 110 may determine the size by obtaining the required information from the client before verification. Generally, the more chunks that are picked during verification, the lower the possibility for false-accept results, but the longer the waiting time for the verification.
  • the false-accept rate is controllable according chunk size, number of chunks, chunk selection parameter, user defined (e.g., user can specify false-accept tolerance, matching tolerance at operation 210 ), or any combinations thereof.
  • one way to lower the false-accept rate is to do a periodical check on the target data 106 ( 107 ). Further, the timing of the periodic checks can be varied. Further, every time, a new chunk_ID_list can be randomly selected, so the probability of missing a modification decreases over time.
  • This invention provides a method to check the consistency of a file or data block in a time-flexible way. If the expected checking time is not limited, this method is equivalent to the full file/data block digest value verification. If the checking time needs to be less than a maximum limit, this method will decrease the amount of data read from the disk, thus reducing and controlling the total verification time. The tradeoff is that the possibility of false-accept increases.
  • a benefit of the embodiments is for use in connection with time-limited applications or in general applications where the size of files or data blocks becomes very large.
  • the embodiments can be used in virtual machine based trusted computing to check the consistency of a large VM disk images, in a non-limiting example, (>10 GByte) and VM memory images, in a non-limiting example, (>1 GByte).
  • the embodiments can also be used to check the integrity of a data CD if the CD is treated as one ISO data block. Further, the embodiments provide a benefit of verifying data integrity before transmitting data, stored data and/or before executing a file (e.g., in case of VMI 302 , 304 ).
  • any troubleshooting for example, virus attack troubleshooting, application debugging, can be directed to selected area(s) or selected chunks of the target data for which the digest values did not match the initial digest values.
  • a chunk related parameter can be adjusted according to application criteria, user defined, and/or other parameters.
  • FIG. 4 is a functional block diagram of a computer for the embodiments of the invention.
  • the computer can be any computing device.
  • the computer includes a display or output unit 402 to display a user interface or output information or indications, such as a diode.
  • a computer controller 404 e.g., a hardware central processing unit
  • executes instructions e.g., a computer program or software that control the apparatus to perform operations.
  • a memory 406 stores the instructions for execution by the controller 404 .
  • a Trusted Platform Module 407 can be provided.
  • the apparatus reads/processes any computer readable recording media and/or communication transmission media 410 .
  • the display 402 , the CPU 404 , the memory 406 and the computer readable media 410 are in communication by the data bus 408 . Any results produced can be displayed on a display of the computing hardware.
  • a program/software implementing the embodiments may be recorded on computer-readable media comprising computer-readable recording media.
  • the program/software implementing the embodiments may also be transmitted over transmission communication media.
  • Examples of the computer-readable recording media include a magnetic recording apparatus, an optical disk, a magneto-optical disk, and/or a semiconductor memory (for example, RAM, ROM, etc.).
  • Examples of the magnetic recording apparatus include a hard disk device (HDD), a flexible disk (FD), and a magnetic tape (MT).
  • Examples of the optical disk include a DVD (Digital Versatile Disc), a DVD-RAM, a CD-ROM (Compact Disc—Read Only Memory), and a CD-R (Recordable)/RW.
  • An example of communication media includes a carrier-wave signal.
  • the embodiments provide a computer system comprising a server computer in communication with a client computer, wherein the client computer comprises a computer controller executing selecting data chunks of target data and obtaining digest values of the selected data chunks, based upon the target data, and wherein the server computer comprises a computer controller executing comparing the digest values of the selected data chunks with corresponding maintained initial digest values of the target data, and verifying integrity of the target data according to the comparing.
  • the selecting of the data chunks is based upon one or more chunk selection parameters including data chunk size, number of data chunks, verification timing, data chunk modifiability characteristic, user defined, security information (e.g.
  • security level of user target data and/or computing environment (e.g., TPM 407 availability, protectability of selected chunk list), or any combinations thereof.
  • TPM 407 availability, protectability of selected chunk list e.g., TPM 407 availability, protectability of selected chunk list
  • Any of the chunk selection parameters can be provided or determined according testing (e.g., testing of computing environment), application criteria (e.g., security level) and/or user defined.
  • the target data can be a virtual machine image, and the data chunk modifiability characteristic includes secured data areas, virus targeted data areas, user prohibited data areas, fixed data areas, data area activity metric, or any combinations thereof of the target data.
  • the computer server controller further executes dividing the target data stored on computer readable recording medium into chunks, maintaining the initial digest values for each divided data chunk of the target data, transmitting the target data to the client computer, and selecting data chunks for which digest values are to be obtained and transmitting a list of selected data chunks to the client computer.
  • the client computer obtains the digest values of the data chunks of the target data stored in the client computer, based upon the list of selected data chunks.
  • the target data 106 , 302 can be removed/deleted until a new updated target data is available subject to integrity verification.
  • the list of selected data chunks can be protected by the TPM 407 .

Abstract

The embodiments read, by a computer, target data and divide the target data into chunks. Initial digest values for each chunk of the target data are maintained. Digest values for a subset of the chunks, based upon the target data, is obtained. And a computer compares the obtained subset of digest values of the target data with corresponding subset of maintained initial digest values and verifies integrity of the target data according to the comparison.

Description

    BACKGROUND
  • 1. Field
  • The embodiments discussed herein relate to data integrity verification.
  • 2. Description of the Related Art
  • Currently, for example, in order to check whether a file stored on a hard disk drive at a computer has been modified from its initial value, a widely used mechanism is to load the whole file from the disk and calculate a digest value of the whole file based on a hash-function (e.g. MD5 or SHA1) of the file or data block. The calculated digest value is then compared with the original digest value. If both original and subsequent digest values of the whole file do not match, it is determined that the whole file must have been modified. Otherwise, since the possibility of a collision of digest value is very low and the digest calculation function is an one-way function, if both digest values match, it is safe to believe that the whole file is not modified.
  • However, for a large file, it takes a very long period of time to calculate the digest value (sometimes several minutes or longer). The main bottleneck is typically the disk I/O time (99.9% of time for an operation is in reading data from disks).
    • SUMMARY
  • It is an aspect of the embodiments discussed herein to provide a method, including apparatus/machine (computer) and computer readable media thereof, of verifying integrity of data. According to an aspect of an embodiment, the embodiments substantially increase the speed of or substantially reduce the time for verifying integrity of a large file or data block.
  • The embodiments provide a method, computer readable medium and apparatus thereof, of reading, by a computer, target data and dividing target data into chunks, maintaining initial digest values for each data chunk of the target data, obtaining digest values for a subset of the chunks, based upon the target data, computer comparing the obtained subset of digest values of the target data with corresponding subset of maintained initial digest values, and verifying integrity of the target data according to the comparing.
  • These together with other aspects and advantages which will be subsequently apparent, reside in the details of construction and operation as more fully hereinafter described and claimed, reference being had to the accompanying drawings forming a part hereof, wherein like numerals refer to like parts throughout.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram of a computer system embodying the embodiments of the invention.
  • FIG. 2 is a flow chart of verifying integrity of stored data, according to an embodiment of the invention.
  • FIG. 3 is a diagram of another computer system embodying the embodiments of the invention.
  • FIG. 4 is a functional block diagram of a computer for the embodiments of the invention.
    •  DETAILED DESCRIPTION OF THE EMBODIMENTS
  • FIG. 1 is a diagram of a computer system embodying the embodiments, according to an aspect of the invention. In FIG. 1, a computer system 100 includes a data integrity checker 102 managing, for example, calculating, initial digest values of chunks of a whole file or data block as target data 106 and checking or verifying integrity of the target data 106 based upon the initial digest values. A digest value database 104 stores the initial digest values corresponding to the file or data block as the target data 106. Target data 106 can be any computer readable information in any format (compressed, not compressed, transformed (encrypted), etc.), such as (without limitation) virtual machine image, multimedia data, such as audio and/or video, images recorded on computer readable recording media, such as DVD, CD, etc. According to an aspect of an embodiment the data integrity checker 102 may reside in a module within the same device and/or in client-server architecture, reside in a remote device as a server in communication over a network with a client device. For example, in FIG. 1, the data integrity checker 102 is software application in a server 110 checking integrity of target data 107 stored in computer readable recording medium of a client device 120. A target data digest value manager 108 cooperates or interfaces with the data integrity checker 102 and manages, for example, calculates, digest values based upon the target data 107 stored in the client 120. The server 110 and client device 120 are in wire and/or wireless network 130 communication. According to an aspect of an embodiment, a digest value or hash value is any transformation that takes an input and returns or outputs a string, for example, fixed size string. The transformation can be based upon any hash function (e.g., MD5, SHA1, etc.).
  • FIG. 2 is a flow chart of verifying integrity of stored data, according to an embodiment. Operation 202 provides dividing target data into chunks. Chunk refers to any length of read data. According to an aspect of an embodiment, when operating system supports a random read of a file, i.e. a program can jump to any point of a file and read any length of data out of the file from that point, the embodiments use an operating system random read, jump to several places according to selection criteria, and read the selected chunks. Then calculate the hash value of the selected chunks. However, the embodiments are not limited to operating system random read function or service, but the embodiments treat a whole computer file as one data block and read selected chunks of the one data block. For example, at operation 202, the initial file or data block as target data 106 (107) is divided into n fixed-size chunks (e.g. 1 MByte each), labeled 0, . . . , n-1. A chunk identifier can be assigned to each data chunk, so given a chunk ID i, the start position of the chunk within the target data is i*chunk_size, and the end position of the chunk is (i+1)*chunk_size −1. A benefit of the embodiments is that only chunk_size*chunk_ID_size bytes of data is read instead of the full file or data block, thus reducing time of data verification. However, the embodiments are not limited to a fixed chunk size, and variable chunk sizes can be provided.
  • Operation 204 provides maintaining an initial digest value for each chunk of the target data. For example, at operation 204, at the checker side 102, a digest value of each chunk is pre-calculated and stored for verification as stored initial digest values 104. According to an aspect of an embodiment, the file or data block is delivered or transmitted to client(s) 120 and stored as target data 107 on the client side disk.
  • Operation 206 provides obtaining digest values for a subset of the chunks, based upon the target data 106 (107). For example, the obtaining of the subset of digest values includes calculating digest values for selected chunks of the target data. For example, the obtaining of the subset of digest values comprises determining a chunk list based upon selecting the chunks and/or a number of the selected chunks of the target data and obtaining the digest values of the chunk list as the subset of digest values. For example, the chunk list is a predetermined list and/or a generated list of chunks of the target data. For example, the selection of chunks and/or the number of selected chunks is controlled randomly and/or based upon one or more parameters dynamically and/or in real-time. For example, the parameter is a data area or chunk modifiability characteristic of the target data, chunk size, random (e.g., random chunk selection and/or random number of chunks), verification time (e.g., variable periodic verification of target data, chunk selection and/or number of chunks), and/or user defined. Regarding time parameter, any of the other parameters can be varied as a function of time (e.g., time of day, day, year, etc.).
  • According to an aspect of an embodiment, when it is time to check the integrity of the target file or data block 107 at a client 120, the checker 102 at the server 110 first provides a list of chunk IDs to the target data digest value obtainer 108 at the client 120. Typically, this list is a subset of the entire chunk ID list. Then the target data digest value obtainer 108 at the client 120, obtains, for example, calculates, the digest value of selected chunks using the chunk IDs from the list provided from the checker 102 at the server 110. According to an aspect of an embodiment, the obtained chunk digest values corresponding to the list of chunk IDs is then put together into a new data block as concatenated target digest value, and a digest value of the concatenated digest value is calculated. The final result is then sent to the checker 102.
  • Operation 208 provides comparing the obtained subset of digest values of the target data 106 (107) with corresponding subset of maintained initial digest values. Operation 210 determines whether the corresponding subset of initial digest values match the obtained subset of digest values. For example, at operation 208, the checker 102 does a calculation based upon initial digest values similar to calculation of the concatenated digest value based upon the target data 106 or 107. The checker 102 picks the pre-calculated or initial chunk digest values of the given chunk ID list, puts them together in one data block as an concatenated initial digest value and calculates the digest value of the concatenated initial digest value. The checker 102 then compares the concatenated initial digest value with the concatenated target digest value, for example, from the client 120. If, at operation 210, both results do not match, the file or data block, for example, at the client side 120 must have been modified, so at operation 212, the target data 107 integrity verification fails. If at operation 210, the results match, the file or data block at the client side 120 is very likely unchanged, so at operation 214, the target data 107 verification is acceptable or successful. While the possibility of a false-accept (i.e. the file or data block is modified, but the check result shows unmodified) is higher than the possibility that results from calculating the digest value for the complete file or data block, however, the embodiments decrease the possibility of false-accepts as discussed herein.
  • According to an aspect of an embodiment, the obtaining of the subset of digest values by determining a chunk list based upon selecting the chunks and/or a number of the selected chunks of the target data and obtaining the digest values of the chunk list as the subset of digest values. The selection of the chunks and/or the number of chunks is controllable randomly and/or based upon parameters, providing a benefit of reducing false accepts or increasing accuracy of the data integrity verification. Further, the chunk list is dynamically and/or real-time controllable. According to an aspect of an embodiment, at operation 206, an alternative method of selecting chunks for digest value calculation, is to pre-define a pseudo-random number generator, for example, for the client 120. First the client 120 uses a seed, for example, a current timestamp as the seed, for the generator and generates a list of chunk IDs. The size of the list can be pre-defined or dynamically and/or real-time determined. After obtaining, for example, calculating digest values of the chunk IDs in the generated list, the client 120 sends a result and the timestamp to the checker 102 and the checker 102 will use the same seed (e.g., timestamp) and a pseudo-random number generator to generate the same chunk list and do the verification. This alternative method does not need the initial chunk ID list from the checker 102, providing a benefit of a single communication loop between the data integrity checker 102 and the target data digest value obtainer 108.
  • FIG. 3 is a diagram of another computer system embodying the embodiments of the invention. In FIG. 3, the computer system 300 includes a server 110 and a client 120. A virtual machine image (VMI) 302 (304) is used as an example target data 106 (107) respectively. The client 120 includes a virtual machine manager (VMM) 306 executing or launching a VMI 304 as a virtual machine 306. According to an aspect of an embodiment, at operations 202 and 204, at the server 110, the data integrity checker 102 divides the VMI 302 into chunks and maintains initial digest values of the chunks. Then, the server 110 can provide or transmit the VMI 302 to the client 120. At client 120, before VMM 306 releases (or launches) the VMI 304, the data integrity checker 102 in cooperation with the target data digest value obtainer 108 checks or verifies integrity of the VMI 304. Under some circumstances, such as for a virtual machine image (VMI) 304 as the target data 107, certain parts of the VMI 304 are more likely to be modified than the rest or other parts during execution. In order to lower the false-accept error, the checker 102 can pick more chunks at those frequently modified parts of the VMI 304 to detect any changes than from the rest of the VMI 304. For example, chunk selection according to likelihood of unauthorized modification can be done without inspecting the contents of the file by using metrics based on entropy. According to an aspect of an embodiment, the VMI 302 or 304 are read-only. There are several ways to achieve this read-only feature, 1) certain VMMs support this read-only function by restoring the VMI images back to initial state after turning off the VMM 306, 2) controlled via the file system by, for example, before launching the VMI, creating a snapshot of the VMI 304, and after turning off the VMM 306, restore to the snapshot.
  • According to an aspect of an embodiment, when the target data is a virtual machine image (VMI), one or more data area modifiability characteristics controlling selection and/or number of chunks includes secured or protected data areas (e.g., operating system area), virus targeted data areas, user prohibited data areas, fixed data areas, data area activity metric, or any combinations thereof of the target data. However, the data area modifiability characteristics are not limited to VMIs, and can be applied for any target data 106 (107) as the case may be. For example, verification of virus targeted data areas can be controlled in relation to timing of virus attacks.
  • The size of and/or the number of chunks can be dynamically and/or real-time controllable based upon testing of computing environment, application criteria (e.g., security level) and/or user defined, for example, determined based upon time that a user is willing to wait for the verification. For example, if the expected time limit is 10 seconds and reading each chunk takes 100 ms, then the size of the chunk ID list should not exceed 100. The checker 110 may determine the size by obtaining the required information from the client before verification. Generally, the more chunks that are picked during verification, the lower the possibility for false-accept results, but the longer the waiting time for the verification. If the place of modification on the file is uniformly distributed, the possibility of false-accept is (1−chunk_ID_list/total_chunks). If there are N chunks that have been modified, the possibility of being detected will be 1−(1-size_of_chunk_ID_list/number_of_total_chunks)̂N. According to an aspect of an embodiments, the false-accept rate is controllable according chunk size, number of chunks, chunk selection parameter, user defined (e.g., user can specify false-accept tolerance, matching tolerance at operation 210), or any combinations thereof.
  • According to an aspect of an embodiment, one way to lower the false-accept rate is to do a periodical check on the target data 106 (107). Further, the timing of the periodic checks can be varied. Further, every time, a new chunk_ID_list can be randomly selected, so the probability of missing a modification decreases over time.
  • This invention provides a method to check the consistency of a file or data block in a time-flexible way. If the expected checking time is not limited, this method is equivalent to the full file/data block digest value verification. If the checking time needs to be less than a maximum limit, this method will decrease the amount of data read from the disk, thus reducing and controlling the total verification time. The tradeoff is that the possibility of false-accept increases. A benefit of the embodiments is for use in connection with time-limited applications or in general applications where the size of files or data blocks becomes very large. For example, the embodiments can be used in virtual machine based trusted computing to check the consistency of a large VM disk images, in a non-limiting example, (>10 GByte) and VM memory images, in a non-limiting example, (>1 GByte). The embodiments can also be used to check the integrity of a data CD if the CD is treated as one ISO data block. Further, the embodiments provide a benefit of verifying data integrity before transmitting data, stored data and/or before executing a file (e.g., in case of VMI 302, 304).
  • According to an aspect of an embodiment, by selectively reading chunks of target data and verifying integrity of the target data, at operation 212, upon verification failure, any troubleshooting, for example, virus attack troubleshooting, application debugging, can be directed to selected area(s) or selected chunks of the target data for which the digest values did not match the initial digest values. According to an aspect of an embodiment, at operation 212 and/or 214, a chunk related parameter can be adjusted according to application criteria, user defined, and/or other parameters.
  • Any combinations of the described features, functions and/or operations can be provided. The embodiments can be implemented in computing hardware (computing apparatus) and/or software, such as (in a non-limiting example) any computer that can store, retrieve, process and/or output data and/or communicate with other computers. FIG. 4 is a functional block diagram of a computer for the embodiments of the invention. In FIG. 4, the computer can be any computing device. Typically, the computer includes a display or output unit 402 to display a user interface or output information or indications, such as a diode. A computer controller 404 (e.g., a hardware central processing unit) executes instructions (e.g., a computer program or software) that control the apparatus to perform operations. Typically, a memory 406 stores the instructions for execution by the controller 404. A Trusted Platform Module 407 can be provided. According to an aspect of an embodiment, the apparatus reads/processes any computer readable recording media and/or communication transmission media 410. The display 402, the CPU 404, the memory 406 and the computer readable media 410 are in communication by the data bus 408. Any results produced can be displayed on a display of the computing hardware.
  • A program/software implementing the embodiments may be recorded on computer-readable media comprising computer-readable recording media. The program/software implementing the embodiments may also be transmitted over transmission communication media. Examples of the computer-readable recording media include a magnetic recording apparatus, an optical disk, a magneto-optical disk, and/or a semiconductor memory (for example, RAM, ROM, etc.). Examples of the magnetic recording apparatus include a hard disk device (HDD), a flexible disk (FD), and a magnetic tape (MT). Examples of the optical disk include a DVD (Digital Versatile Disc), a DVD-RAM, a CD-ROM (Compact Disc—Read Only Memory), and a CD-R (Recordable)/RW. An example of communication media includes a carrier-wave signal.
  • The embodiments provide a computer system comprising a server computer in communication with a client computer, wherein the client computer comprises a computer controller executing selecting data chunks of target data and obtaining digest values of the selected data chunks, based upon the target data, and wherein the server computer comprises a computer controller executing comparing the digest values of the selected data chunks with corresponding maintained initial digest values of the target data, and verifying integrity of the target data according to the comparing. The selecting of the data chunks is based upon one or more chunk selection parameters including data chunk size, number of data chunks, verification timing, data chunk modifiability characteristic, user defined, security information (e.g. security level of user, target data and/or computing environment (e.g., TPM 407 availability, protectability of selected chunk list), or any combinations thereof. Any of the chunk selection parameters can be provided or determined according testing (e.g., testing of computing environment), application criteria (e.g., security level) and/or user defined.
  • The target data can be a virtual machine image, and the data chunk modifiability characteristic includes secured data areas, virus targeted data areas, user prohibited data areas, fixed data areas, data area activity metric, or any combinations thereof of the target data. The computer server controller further executes dividing the target data stored on computer readable recording medium into chunks, maintaining the initial digest values for each divided data chunk of the target data, transmitting the target data to the client computer, and selecting data chunks for which digest values are to be obtained and transmitting a list of selected data chunks to the client computer. The client computer obtains the digest values of the data chunks of the target data stored in the client computer, based upon the list of selected data chunks. According to an aspect of an embodiment, once the initial digest values of the chunks of the target data are obtained and maintained, for example, stored, the target data 106, 302 can be removed/deleted until a new updated target data is available subject to integrity verification. The list of selected data chunks can be protected by the TPM 407.
  • The many features and advantages of the embodiments are apparent from the detailed specification and, thus, it is intended by the appended claims to cover all such features and advantages of the embodiments that fall within the true spirit and scope thereof. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the inventive embodiments to the exact construction and operation illustrated and described, and accordingly all suitable modifications and equivalents may be resorted to, falling within the scope thereof.

Claims (17)

1. A method, comprising:
reading, by a computer, target data and dividing the target data into chunks;
maintaining initial digest values for each chunk of the target data;
obtaining digest values for a subset of the chunks, based upon the target data;
computer comparing the obtained subset of digest values of the target data with corresponding subset of maintained initial digest values; and
verifying integrity of the target data according to the comparing.
2. The method according to claim 1, wherein the obtaining of the subset of digest values comprises calculating digest values for selected chunks of the target data.
3. The method according to claim 1, wherein the obtaining of the subset of digest values comprises determining a chunk list based upon selecting the chunks and/or a number of the selected chunks of the target data and obtaining the digest values of the chunk list as the subset of digest values.
4. The method according to claim 3, wherein the chunk list is a predetermined list and/or a generated list of chunks of the target data.
5. The method according to claim 3, wherein the selection of chunks and/or the number of selected chunks is controlled randomly and/or based upon one or more parameters.
6. The method according to claim 5, wherein the parameter is adjustable automatically and/or user defined and includes one or more of chunk modifiability characteristic, chunk size, number of chunks, verification timing, or any combinations thereof.
7. The method according to claim 6, wherein the target data is a virtual machine image, and chunk modifiability characteristic includes secured data areas, virus targeted data areas, user prohibited data areas, fixed data areas, data area activity metric, or any combinations thereof of the target data.
8. The method according to claim 1, further comprising controlling a false-accept rate of the verifying according to one or more user defined and/or automatically determined adjustable chunk selection parameters including chunk size, number of chunks, verification timing, chunk modifiability characteristic, security information, user defined, or any combinations thereof.
9. An apparatus in communication with a computer readable recording medium, comprising:
a computer controller executing
dividing target data stored on the computer readable recording medium into chunks and maintaining initial digest values for each chunk of the target data;
subsequently selecting chunks of the target data and obtaining digest values of the selected chunks, based upon the target data;
comparing the digest values of the selected chunks with corresponding maintained initial digest values of the target data; and
verifying integrity of the target data according to the comparing.
10. The apparatus according to claim 9, wherein the selecting of the chunks is based upon one or more selection parameters including chunk size, number of chunks, verification timing, chunk modifiability characteristic, security information, user defined, or any combinations thereof.
11. The apparatus according to claim 10, wherein the target data is a virtual machine image, and the chunk modifiability characteristic includes secured data areas, virus targeted data areas, user prohibited data areas, fixed data areas, data area activity metric, or any combinations thereof of the target data.
12. The apparatus according to claim 9, wherein the integrity verifying comprises troubleshooting according to the subset of the chunks.
13. The apparatus according to claim 9, wherein the comparing comprising concatenating the initial and the selected chunk digest values into concatenated initial and selected chunk digest values, respectively, and comparing the concatenated initial digest value with the concatenated selected chunk digest value.
14. A computer system comprising:
a server computer in communication with a client computer,
wherein the client computer comprises
a computer controller executing
selecting data chunks of target data and obtaining digest values of the selected data chunks, based upon the target data, and
wherein the server computer comprises
a computer controller executing
comparing the digest values of the selected data chunks with corresponding maintained initial digest values of the target data, and
verifying integrity of the target data according to the comparing.
15. The computer system according to claim 14, wherein the selecting of the data chunks is based upon one or more selection parameters including data chunk size, number of data chunks, verification timing, data chunk modifiability characteristic, security information, user defined, or any combinations thereof.
16. The computer system according to claim 15, wherein the target data is a virtual machine image, and the data chunk modifiability characteristic includes secured data areas, virus targeted data areas, user prohibited data areas, fixed data areas, data area activity metric, or any combinations thereof of the target data.
17. The computer system according to claim 15,
wherein the computer server controller further executes:
dividing the target data stored on computer readable recording medium into chunks,
maintaining the initial digest values for each divided data chunk of the target data,
transmitting the target data to the client computer, and
selecting data chunks for which digest values are to be obtained and transmitting a list of selected data chunks to the client computer,
wherein the client computer obtains the digest values of the data chunks of the target data stored in the client computer, based upon the list of selected data chunks.
US12/246,144 2008-10-06 2008-10-06 Method for checking the integrity of large data items rapidly Abandoned US20100088745A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/246,144 US20100088745A1 (en) 2008-10-06 2008-10-06 Method for checking the integrity of large data items rapidly

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/246,144 US20100088745A1 (en) 2008-10-06 2008-10-06 Method for checking the integrity of large data items rapidly

Publications (1)

Publication Number Publication Date
US20100088745A1 true US20100088745A1 (en) 2010-04-08

Family

ID=42076867

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/246,144 Abandoned US20100088745A1 (en) 2008-10-06 2008-10-06 Method for checking the integrity of large data items rapidly

Country Status (1)

Country Link
US (1) US20100088745A1 (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100130253A1 (en) * 2008-11-25 2010-05-27 Research In Motion Limited System and method for over-the-air software loading in mobile device
US20120266246A1 (en) * 2011-04-13 2012-10-18 International Business Machines Corporation Pinpointing security vulnerabilities in computer software applications
US20120324236A1 (en) * 2011-06-16 2012-12-20 Microsoft Corporation Trusted Snapshot Generation
US8584235B2 (en) 2011-11-02 2013-11-12 Bitdefender IPR Management Ltd. Fuzzy whitelisting anti-malware systems and methods
US20140006868A1 (en) * 2012-06-29 2014-01-02 National Instruments Corporation Test Executive System With Offline Results Processing
GB2504134A (en) * 2012-07-20 2014-01-22 Metaswitch Networks Ltd Anti-virus checking of large multimedia messages
US20140149359A1 (en) * 2012-11-29 2014-05-29 Inventec Corporation System for verifying correctness of data when data are requested and method thereof
US20140279943A1 (en) * 2013-03-18 2014-09-18 Fujitsu Limited File system verification method and information processing apparatus
US20150058625A1 (en) * 2013-08-23 2015-02-26 Qualcomm Incorporated Secure content delivery using hashing of pre-coded packets
US20150169901A1 (en) * 2013-12-12 2015-06-18 Sandisk Technologies Inc. Method and Systems for Integrity Checking a Set of Signed Data Sections
US20150302196A1 (en) * 2014-04-16 2015-10-22 Microsoft Corporation Local System Health Assessment
US20160057199A1 (en) * 2014-08-21 2016-02-25 Facebook, Inc. Systems and methods for transmitting a media file in multiple portions
US9696940B1 (en) * 2013-12-09 2017-07-04 Forcepoint Federal Llc Technique for verifying virtual machine integrity using hypervisor-based memory snapshots
US9734325B1 (en) 2013-12-09 2017-08-15 Forcepoint Federal Llc Hypervisor-based binding of data to cloud environment for improved security
US9785492B1 (en) 2013-12-09 2017-10-10 Forcepoint Llc Technique for hypervisor-based firmware acquisition and analysis
CN109768853A (en) * 2018-12-29 2019-05-17 百富计算机技术(深圳)有限公司 A kind of key component verification method, device and terminal device
WO2020036887A1 (en) * 2018-08-17 2020-02-20 Microchip Technology Incorporated Authentication of files
WO2020094063A1 (en) * 2018-11-06 2020-05-14 中兴通讯股份有限公司 Data storage method and device, storage medium and electronic device
US11023329B1 (en) * 2012-09-05 2021-06-01 Acronis International Gmbh Systems and methods for the recovery of virtual machines
US11455277B2 (en) 2019-03-27 2022-09-27 Nutanix Inc. Verifying snapshot integrity

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5745678A (en) * 1994-12-13 1998-04-28 International Business Machines Corporation Method and system for the secured distribution of multimedia titles
US6021510A (en) * 1997-11-24 2000-02-01 Symantec Corporation Antivirus accelerator
US6748538B1 (en) * 1999-11-03 2004-06-08 Intel Corporation Integrity scanner
US20040117616A1 (en) * 2002-12-16 2004-06-17 Silvester Kelan C. Method and mechanism for validating legitimate software calls into secure software
US20050132122A1 (en) * 2003-12-16 2005-06-16 Rozas Carlos V. Method, apparatus and system for monitoring system integrity in a trusted computing environment
US20050235154A1 (en) * 1999-06-08 2005-10-20 Intertrust Technologies Corp. Systems and methods for authenticating and protecting the integrity of data streams and other data
US20060026441A1 (en) * 2004-08-02 2006-02-02 Aaron Jeffrey A Methods, systems and computer program products for detecting tampering of electronic equipment by varying a verification process
US7120802B2 (en) * 1996-08-12 2006-10-10 Intertrust Technologies Corp. Systems and methods for using cryptography to protect secure computing environments
US20070198838A1 (en) * 2004-04-02 2007-08-23 Masao Nonaka Unauthorized Contents Detection System
US20070204153A1 (en) * 2006-01-04 2007-08-30 Tome Agustin J Trusted host platform
US7325145B1 (en) * 2000-02-18 2008-01-29 Microsoft Corporation Verifying the presence of an original data storage medium
US20080168564A1 (en) * 2007-01-08 2008-07-10 Apple Inc. Software or other information integrity verification using variable block length and selection
US20080244569A1 (en) * 2007-03-30 2008-10-02 David Carroll Challener System and Method for Reporting the Trusted State of a Virtual Machine
US20090089860A1 (en) * 2004-11-29 2009-04-02 Signacert, Inc. Method and apparatus for lifecycle integrity verification of virtual machines

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5745678A (en) * 1994-12-13 1998-04-28 International Business Machines Corporation Method and system for the secured distribution of multimedia titles
US7120802B2 (en) * 1996-08-12 2006-10-10 Intertrust Technologies Corp. Systems and methods for using cryptography to protect secure computing environments
US6021510A (en) * 1997-11-24 2000-02-01 Symantec Corporation Antivirus accelerator
US20050235154A1 (en) * 1999-06-08 2005-10-20 Intertrust Technologies Corp. Systems and methods for authenticating and protecting the integrity of data streams and other data
US6748538B1 (en) * 1999-11-03 2004-06-08 Intel Corporation Integrity scanner
US7325145B1 (en) * 2000-02-18 2008-01-29 Microsoft Corporation Verifying the presence of an original data storage medium
US20040117616A1 (en) * 2002-12-16 2004-06-17 Silvester Kelan C. Method and mechanism for validating legitimate software calls into secure software
US20050132122A1 (en) * 2003-12-16 2005-06-16 Rozas Carlos V. Method, apparatus and system for monitoring system integrity in a trusted computing environment
US20070198838A1 (en) * 2004-04-02 2007-08-23 Masao Nonaka Unauthorized Contents Detection System
US20060026441A1 (en) * 2004-08-02 2006-02-02 Aaron Jeffrey A Methods, systems and computer program products for detecting tampering of electronic equipment by varying a verification process
US20090089860A1 (en) * 2004-11-29 2009-04-02 Signacert, Inc. Method and apparatus for lifecycle integrity verification of virtual machines
US20070204153A1 (en) * 2006-01-04 2007-08-30 Tome Agustin J Trusted host platform
US20080168564A1 (en) * 2007-01-08 2008-07-10 Apple Inc. Software or other information integrity verification using variable block length and selection
US20080244569A1 (en) * 2007-03-30 2008-10-02 David Carroll Challener System and Method for Reporting the Trusted State of a Virtual Machine

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100130253A1 (en) * 2008-11-25 2010-05-27 Research In Motion Limited System and method for over-the-air software loading in mobile device
US8463254B2 (en) * 2008-11-25 2013-06-11 Research In Motion Limited System and method for over-the-air software loading in mobile device
US20120266246A1 (en) * 2011-04-13 2012-10-18 International Business Machines Corporation Pinpointing security vulnerabilities in computer software applications
US8510842B2 (en) * 2011-04-13 2013-08-13 International Business Machines Corporation Pinpointing security vulnerabilities in computer software applications
US20120324236A1 (en) * 2011-06-16 2012-12-20 Microsoft Corporation Trusted Snapshot Generation
US8584235B2 (en) 2011-11-02 2013-11-12 Bitdefender IPR Management Ltd. Fuzzy whitelisting anti-malware systems and methods
US20140006868A1 (en) * 2012-06-29 2014-01-02 National Instruments Corporation Test Executive System With Offline Results Processing
US20140006867A1 (en) * 2012-06-29 2014-01-02 National Instruments Corporation Test Executive System With Process Model Plug-ins
GB2504134A (en) * 2012-07-20 2014-01-22 Metaswitch Networks Ltd Anti-virus checking of large multimedia messages
US11023329B1 (en) * 2012-09-05 2021-06-01 Acronis International Gmbh Systems and methods for the recovery of virtual machines
US20140149359A1 (en) * 2012-11-29 2014-05-29 Inventec Corporation System for verifying correctness of data when data are requested and method thereof
CN103856285A (en) * 2012-11-29 2014-06-11 英业达科技有限公司 System and method for verifying data correctness during data request making
US20140279943A1 (en) * 2013-03-18 2014-09-18 Fujitsu Limited File system verification method and information processing apparatus
US20150058625A1 (en) * 2013-08-23 2015-02-26 Qualcomm Incorporated Secure content delivery using hashing of pre-coded packets
US9680650B2 (en) * 2013-08-23 2017-06-13 Qualcomm Incorporated Secure content delivery using hashing of pre-coded packets
US9696940B1 (en) * 2013-12-09 2017-07-04 Forcepoint Federal Llc Technique for verifying virtual machine integrity using hypervisor-based memory snapshots
US9734325B1 (en) 2013-12-09 2017-08-15 Forcepoint Federal Llc Hypervisor-based binding of data to cloud environment for improved security
US9785492B1 (en) 2013-12-09 2017-10-10 Forcepoint Llc Technique for hypervisor-based firmware acquisition and analysis
US20150169901A1 (en) * 2013-12-12 2015-06-18 Sandisk Technologies Inc. Method and Systems for Integrity Checking a Set of Signed Data Sections
US20150302196A1 (en) * 2014-04-16 2015-10-22 Microsoft Corporation Local System Health Assessment
US20160057199A1 (en) * 2014-08-21 2016-02-25 Facebook, Inc. Systems and methods for transmitting a media file in multiple portions
CN112567371A (en) * 2018-08-17 2021-03-26 微芯片技术股份有限公司 Authentication of documents
WO2020036887A1 (en) * 2018-08-17 2020-02-20 Microchip Technology Incorporated Authentication of files
US11210413B2 (en) * 2018-08-17 2021-12-28 Microchip Technology Incorporated Authentication of files
WO2020094063A1 (en) * 2018-11-06 2020-05-14 中兴通讯股份有限公司 Data storage method and device, storage medium and electronic device
CN109768853A (en) * 2018-12-29 2019-05-17 百富计算机技术(深圳)有限公司 A kind of key component verification method, device and terminal device
US11455277B2 (en) 2019-03-27 2022-09-27 Nutanix Inc. Verifying snapshot integrity

Similar Documents

Publication Publication Date Title
US20100088745A1 (en) Method for checking the integrity of large data items rapidly
US9477614B2 (en) Sector map-based rapid data encryption policy compliance
JP5460698B2 (en) Secure application streaming
US8453257B2 (en) Approach for securing distributed deduplication software
US8595833B2 (en) Method and apparatus for determining software trustworthiness
US10356204B2 (en) Application based hardware identifiers
US10423791B2 (en) Enabling offline restart of shielded virtual machines using key caching
US8689279B2 (en) Encrypted chunk-based rapid data encryption policy compliance
EP2748752B1 (en) Digital signing authority dependent platform secret
US20110307711A1 (en) Device booting with an initial protection component
US11275834B1 (en) System for analyzing backups for threats and irregularities
US11170077B2 (en) Validating the integrity of application data using secure hardware enclaves
EP3514714A1 (en) Integrity verification of an entity
US7353386B2 (en) Method and device for authenticating digital data by means of an authentication extension module
CN109145604A (en) One kind extorting software intelligent detecting method and system
US20220083630A1 (en) Protecting an item of software
US9860230B1 (en) Systems and methods for digitally signing executables with reputation information
US20120191803A1 (en) Decommissioning factored code
US20050010752A1 (en) Method and system for operating system anti-tampering
CN110633579B (en) Bidding file online decryption result prediction method, system, device and storage medium
US8918873B1 (en) Systems and methods for exonerating untrusted software components
CN114546582A (en) Licensing for backup-related operations
CN114327657B (en) Large mirror image division downloading and signature verification method based on Fastboot and storage medium thereof
WO2019137614A1 (en) Apparatus and method for runtime integrity protection for execution environments
TWI740214B (en) Method of booting server

Legal Events

Date Code Title Description
AS Assignment

Owner name: FUJITSU LIMITED,JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SONG, ZHEXUAN;MOLINA, JESUS;REEL/FRAME:021995/0045

Effective date: 20081208

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION